Python使用ldap3认证
一、安装ldap3模块(python版本为python3以上,Django=1.11.8)
pip install ldap3
二、相关代码
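#!/usr/bin/python3
# -*- coding: utf-8 -*-
"""Authenticate a user against an LDAP / Active Directory server with ldap3.

Flow: bind with the caller's credentials, look up the account entry,
re-bind with the entry DN to confirm the password, then check that the
account is a member of the required group.
"""
from ldap3 import Server, Connection, ALL, SUBTREE, ServerPool, ALL_ATTRIBUTES
from ldap3.utils.conv import escape_filter_chars

LDAP_SERVER_POOL = ["172.17.0.10"]
LDAP_SERVER_PORT = 389
ADMIN_DN = "admin@testdomain.com"
ADMIN_PASSWORD = ""
SEARCH_BASE = "ou=Users,dc=testdomain,dc=com"
# Group an account must belong to before it is let in.
REQUIRED_GROUP_DN = 'CN=upload,OU=Users,DC=testdomain,DC=com'
# Uniform failure result: callers are not told whether the name or the
# password was wrong.
_AUTH_FAILED = (False, None, '用户名或密码错误')


def ldap_auth(username, password):
    """Verify *username*/*password* against the directory.

    Args:
        username: sAMAccountName of the account (the part before ``@``).
        password: the account's password.

    Returns:
        A ``(ok, cn, message)`` tuple. ``ok`` is True only when the bind
        succeeded *and* the account is in ``REQUIRED_GROUP_DN``; ``cn`` is
        the entry's cn when the account was found; ``message`` is a
        user-facing error string, or None on success.
    """
    # An empty password must never reach bind(): LDAP treats a DN with an
    # empty password as an *unauthenticated* bind. ldap3 refuses to send one
    # and raises instead, so without this guard the caller would see an
    # exception rather than a clean failure result.
    if not username or not password:
        return _AUTH_FAILED

    # NOTE(review): port 389 without use_ssl/start_tls sends the password in
    # clear text; enable TLS wherever the server supports it.
    ldap_server_pool = ServerPool(
        [Server(host, port=LDAP_SERVER_PORT) for host in LDAP_SERVER_POOL]
    )
    # The caller-supplied name is embedded in an LDAP filter; escape it so
    # characters such as '*', '(' or ')' cannot rewrite the query.
    safe_username = escape_filter_chars(username)

    conn = Connection(ldap_server_pool,
                      user='{}@testdomain.com'.format(username),
                      password=password,
                      check_names=True,
                      lazy=False,
                      raise_exceptions=False)
    try:
        conn.open()
        # With raise_exceptions=False a failed bind returns False; the
        # original ignored that and searched on an unauthenticated session.
        if not conn.bind():
            return _AUTH_FAILED
        res = conn.search(
            search_base=SEARCH_BASE,
            search_filter='(sAMAccountName={})'.format(safe_username),
            search_scope=SUBTREE,
            attributes=['cn', 'givenName', 'mail', 'sAMAccountName', 'memberOf'],
            # attributes=ALL_ATTRIBUTES,  # fetch every attribute instead
            paged_size=5,
        )
        if not res or not conn.response:
            return _AUTH_FAILED
        entry = conn.response[0]
        dn = entry['dn']
        attr_dict = entry['attributes']
    except Exception:
        return _AUTH_FAILED
    finally:
        # Release the session even on the early-return paths.
        if not conn.closed:
            conn.unbind()

    # Re-bind with the entry DN so the password is verified against the
    # account that was actually found, not only the UPN string built above.
    conn2 = Connection(ldap_server_pool,
                       user=dn,
                       password=password,
                       check_names=True,
                       lazy=False,
                       raise_exceptions=False)
    try:
        bound = conn2.bind()
    except Exception:
        return _AUTH_FAILED
    finally:
        if not conn2.closed:
            conn2.unbind()
    if not bound:
        return _AUTH_FAILED

    # memberOf is absent when the account is in no group; the original did
    # `x in None` here and also read a 'department' attribute that was never
    # requested, so every successful login ended in the except branch.
    groups = attr_dict.get('memberOf') or []
    if REQUIRED_GROUP_DN in groups:
        return (True, attr_dict.get('cn'), None)
    return (False, attr_dict.get('cn'), '没有权限访问')


if __name__ == "__main__":
    ldap_auth("admin", "123456")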
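#!/usr/bin/python3
# -*- coding: utf-8 -*-
"""Small Active Directory helper built on ldap3.

Bind as a domain user, look up that user's entry, list the groups under
SEARCH_BASE, and re-verify the password by binding with the entry DN.
"""
# from ldap3 import Server, Connection, ALL, NTLM
from ldap3 import Server, Connection, ALL, SUBTREE, ServerPool, ALL_ATTRIBUTES
from ldap3.utils.conv import escape_filter_chars
import json

LDAP_SERVER_POOL = ["172.18.188.7"]
LDAP_SERVER_PORT = 389
ADMIN_DN = "admin@southpark.com"
ADMIN_PASSWORD = ""
SEARCH_BASE = "ou=south,dc=southpark,dc=com"

# Uniform failure result for userauth(): the caller is not told whether
# the name or the password was wrong.
_AUTH_FAILED = (False, None, '用户名或密码错误')


class Operate_AD(object):
    """Session against the configured server pool, bound as one domain user.

    Args:
        Domain: DNS domain name, e.g. ``'southpark.com'``. Its first label,
            upper-cased, becomes the ``DOMAIN\\user`` prefix for the bind.
        User: sAMAccountName to bind as.
        Password: that account's password.

    Attributes:
        conn: the bound ``ldap3.Connection``, or None when the bind failed
            (the failure is printed, as in the original). Every method
            checks for None instead of raising AttributeError.
    """

    def __init__(self, Domain, User, Password):
        self.domain = Domain
        self.user = User
        self.pwd = Password
        # 'southpark.com' -> 'DC=southpark,DC=com'
        self.DC = ','.join('DC=' + dc for dc in Domain.split('.'))
        # NetBIOS-style prefix for the DOMAIN\user bind below.
        self.pre = Domain.split('.')[0].upper()
        # NOTE(review): plain LDAP on port 389 sends the password in clear
        # text; prefer Server(host, use_ssl=True) or start_tls() where the
        # server supports it.
        self.ldap_server_pool = ServerPool(LDAP_SERVER_POOL)
        self.conn = None
        # An empty password would turn this into an *unauthenticated* bind;
        # ldap3 itself raises on that combination, so refuse it up front and
        # keep the failure path uniform.
        if not Password:
            print('password is required')
            return
        try:
            self.conn = Connection(self.ldap_server_pool,
                                   user=self.pre + '\\' + self.user,
                                   password=self.pwd,
                                   auto_bind=True)
        except Exception as e:
            # Best-effort as in the original: report and leave conn as None.
            print(e)

    def Get_UserInfo(self):
        """Look up the bound user's own entry.

        Returns:
            The entry's attribute dict (cn, givenName, mail, sAMAccountName,
            memberOf), or None when there is no connection or nothing
            matched. The matching entry stays in ``self.conn.response``,
            which ``userauth`` reads.
        """
        if self.conn is None:
            return None
        # Escaped so a name containing '*', '(' or ')' cannot widen the filter.
        safe_user = escape_filter_chars(self.user)
        resuser = self.conn.search(
            # search_base=self.DC,
            search_base=SEARCH_BASE,
            search_filter='(&(objectCategory=person)(objectClass=user)(sAMAccountName={}))'.format(safe_user),
            search_scope=SUBTREE,
            attributes=['cn', 'givenName', 'mail', 'sAMAccountName', 'memberOf'],
            # attributes=ALL_ATTRIBUTES,  # fetch every attribute instead
            paged_size=5,
        )
        if not resuser or not self.conn.response:
            return None
        entry = self.conn.response[0]
        print(entry['dn'])
        return entry['attributes']

    def Get_ALL_GroupInfo(self):
        """List every group under SEARCH_BASE.

        Prints each group's attributes (as the original did) and also
        returns them as a list of dicts; an empty list when there is no
        connection or the search returned nothing.
        """
        if self.conn is None:
            return []
        resgroup = self.conn.search(
            # search_base=self.DC,
            search_base=SEARCH_BASE,
            search_filter='(objectclass=group)',
            search_scope=SUBTREE,
            attributes=['cn', 'member', 'objectClass', 'userAccountControl',
                        'sAMAccountName', 'description'],
            # attributes=ALL_ATTRIBUTES,  # fetch every attribute instead
            paged_size=10,
        )
        if not resgroup:
            return []
        groups = [item['attributes'] for item in self.conn.response
                  if 'attributes' in item]
        for attrs in groups:
            print(attrs)
        # response_to_json() gives the same entries in a JSON-serialisable form.
        print(json.loads(self.conn.response_to_json()).get('entries'))
        return groups

    def userauth(self):
        """Re-verify the password by binding with the entry DN.

        Relies on the entry found by ``Get_UserInfo`` (it runs that lookup
        first if no search has happened yet; a preceding group search would
        leave a group entry in ``response``, so call this right after
        ``Get_UserInfo``). The original never called ``bind()`` on the second
        connection, so ``result`` was None and every attempt failed.

        Returns:
            ``(ok, None, message)``: always a 3-tuple now (the original
            returned a 2-tuple on success); ``message`` is None on success.
        """
        if self.conn is None:
            return _AUTH_FAILED
        if not self.conn.response and self.Get_UserInfo() is None:
            return _AUTH_FAILED
        dn = self.conn.response[0]['dn']
        conn2 = Connection(self.ldap_server_pool,
                           user=dn,
                           password=self.pwd,
                           check_names=True,
                           lazy=False,
                           raise_exceptions=False)
        try:
            bound = conn2.bind()
        except Exception as e:
            print(e)
            return _AUTH_FAILED
        finally:
            # Release the second session whatever the outcome.
            if not conn2.closed:
                conn2.unbind()
        if bound:
            print('认证成功')
            return (True, None, None)
        print('用户名或密码错误')
        return _AUTH_FAILED


if __name__ == '__main__':
    res = Operate_AD('southpark.com', 'admin', '123456')
    # res.Get_UserInfo()
    # res.userauth()
    res.Get_ALL_GroupInfo()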
官方文档链接:
https://ldap3.readthedocs.io/en/latest/
https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax #ldap search_filter语法